Summary: Passive techniques have been used for years in diagnostic capacities, and more
recently in intrusion detection capacities. For an almost equal number of years hackers have used
extremely basic sniffing techniques to leverage attacks deeper and deeper into their target's
networks. Sophisticated attackers and well-funded agencies will certainly begin to leverage more
and more use out of well-crafted, well-executed passive attacks. This presentation will demonstrate
the evolution of passive attack techniques, and speculate as to the future use of these techniques. In
addition, the concept of a “global information black market” will be introduced as the culmination
of a distributed passive architecture.
Presentation Style: Network traffic snapshots will be provided of all examples and data stream
passes in slide format. Slides will show both a high level view of network traffic, as well as a very
high-resolution drilldown of the fields the example focuses on. Traffic capture and presentation will
employ tools such as Snort, tcpdump and ethereal. Once individual information “Segments” are
collected, the sum total of all the information will be presented at the end of each section.
Intended audience: In general, most Blackhat attendees will have an understanding of basic
sniffing techniques. This knowledge will serve as an excellent bridge to the newer concepts and
more technical aspects of this presentation. Attendees involved in both the attack and defense
realms of Information Security will be illuminated as to the global implications of advanced IG
techniques, which may not be easily blocked.
Presenter BIO: Johnny Long has been involved with “both sides of the security fence” for many
years. As a professional network security assessment engineer, Mr. Long has developed and
performed network and physical security assessments for both the Department of Defense and the
commercial sector. As an instructor, Mr. Long has developed and instructed technical security
courses for the Air Force Information Warfare Center (AFIWC), the U.S. Army 301st Military
Intelligence Battalion (301st MI), the Department of Justice, the National Security Agency, NASA,
SANS and several commercial clients. Mr. Long’s involvement in attack, defense and forensic
analysis for multinational information security incidents affords him a unique perspective on the
industry. A natural “people person”, Mr. Long has received high reviews for both his presentation
skills, as well as his ability to relate very technical material in a way that is easy to understand.
Note: This document is DRAFT, and will be fleshed out much more for the conference.
A. Authentication extraction
Authentication extraction, or “password sniffing”, is among the most basic of the
passive-aggressive techniques. Several publicly available tools enable an attacker to
extract the authentication information from a network data stream. In many cases,
the authentication information travels in the clear. In more modern examples, the
data is encoded or encrypted, adding a second step to the process of extraction. The
most commonly captured data comes from the following streams:
POP
FTP
TELNET
RLOGIN
RSH
REXEC
SNMP
HTTP Basic AUTH
NETBIOS plaintext
NETBeui encrypted
Novell encrypted
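As an added example (not code from the presentation), a small audit routine in the spirit of the Snort and tcpdump passes described above: it scans constructed payload samples for the cleartext USER/PASS dialogue of POP3 and FTP and for HTTP Basic authentication, whose “second step” is merely a base64 decode, and reports protocol and account name with the secret redacted. A defender can run the same check over their own captures to find where credentials still travel in the clear; the addresses, ports and payloads are constructed.

```python
import base64
import re

# Constructed sample application-layer payloads (not from the page's capture):
# (src_ip, dst_ip, dst_port, first bytes of the client's data)
SAMPLE_PAYLOADS = [
    ("10.0.0.5", "10.0.0.9", 110, b"USER alice\r\nPASS hunter2\r\n"),
    ("10.0.0.5", "10.0.0.10", 21, b"USER ftpadmin\r\nPASS s3cret\r\n"),
    ("10.0.0.7", "10.0.0.20", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
     b"Authorization: Basic Ym9iOnBhc3N3b3Jk\r\n\r\n"),
    ("10.0.0.7", "10.0.0.22", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]

# Protocols whose login dialogue is a USER/PASS exchange in the clear.
CLEARTEXT_LOGIN = {110: "POP3", 21: "FTP"}

def find_cleartext_auth(src, dst, port, payload):
    """Return a finding if the payload carries a cleartext credential, else None.
    Only the protocol and account name are reported; the secret is discarded."""
    if port in CLEARTEXT_LOGIN:
        user = re.search(rb"^USER (\S+)", payload, re.M)
        if user and re.search(rb"^PASS \S+", payload, re.M):
            return {"proto": CLEARTEXT_LOGIN[port], "src": src, "dst": dst,
                    "user": user.group(1).decode(), "secret": "<redacted>"}
    if port == 80:
        # HTTP Basic auth is only base64(user:password): decoding it is the
        # 'second step' the text mentions, not real protection.
        m = re.search(rb"^Authorization: Basic (\S+)", payload, re.M)
        if m:
            user = base64.b64decode(m.group(1)).split(b":", 1)[0]
            return {"proto": "HTTP Basic", "src": src, "dst": dst,
                    "user": user.decode(), "secret": "<redacted>"}
    return None

def audit(payloads):
    """Run the check over every sampled payload and keep the findings."""
    return [f for f in (find_cleartext_auth(*p) for p in payloads) if f]

if __name__ == "__main__":
    for f in audit(SAMPLE_PAYLOADS):
        print(f"{f['proto']:<10} {f['src']} -> {f['dst']} user={f['user']}")
```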
Terminology:
An attacker with access to a production data stream will capture an “inline stream.”
An inline stream that captures useful, normal network activity is termed an “inline production
stream.”
If an attacker creates, lures, or otherwise obtains a useful data stream from outside the target
network, that data stream is termed a “remote stream.”
To understand how an advanced IG specialist will operate, it is important to first understand exactly
how much data can be extracted from a small piece of data. As an example, we will take a look at a
single TCP packet to get an idea of the information that can be extrapolated from this single packet.
(Several slides and zooms through a single TCP packet, touching briefly on the various sections
that will be mentioned here)
To adequately describe the details an expert will pull from a data stream, a production, inline
stream will be assessed using a variety of different passes. Although the various passes could
certainly be performed in any order, analyzing the stream in passes clarifies the presence of
information by type. The example stream was extracted from a production machine located within
a DMZ, nestled between a pair of firewalls garnished with a matching pair of Intrusion Detection
Systems (IDS). The attacker surgically and slowly attacked the target machine, avoiding the IDS
system. The attacker then compromised a machine, and set it into passive mode.
A. Log reduction
Due to the size of the data collected, and the ultimate purpose of the stream interpretation, log
reduction schemes may be employed. For example, if the attacker is only interested in a passive
mapping exercise, any unused information in the data portion of the stream may be removed. If the
attacker is interested in more information, reduction may be skipped, and standard compression
techniques opted for.
1. Tokenize connections
A token is simply a representation of a large amount of data. By creating “element” tokens from
pieces of the data stream, the attacker can easily compress data for transit. This is a common
technique employed by modern IDS systems. For example, several pieces of the TCP session may
be reduced:
1. Reducing tokens
Once tokens are created, the “element” tokens are combined and further reduced to create “object”
tokens which describe the entity.
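The two-step reduction described above, as an added example that is not the presentation's own code: constructed TCP session records are first cut into “element” tokens (hosts, offered services, who talks to whom), then merged into one “object” token per host. The session records and the choice of which fields to keep are assumptions made for a passive mapping exercise.

```python
from collections import defaultdict

# Constructed TCP session records (not from the page's capture):
# (src_ip, src_port, dst_ip, dst_port, bytes_in_session)
SESSIONS = [
    ("10.1.1.5", 51022, "10.1.1.20", 80, 5120),
    ("10.1.1.5", 51023, "10.1.1.20", 80, 4096),
    ("10.1.1.6", 40001, "10.1.1.20", 443, 9000),
    ("10.1.1.5", 51030, "10.1.1.21", 25, 700),
    ("10.1.1.21", 2050, "10.1.1.53", 53, 120),
]

def element_tokens(session):
    """Pass 1: cut one session into small 'element' tokens. The ephemeral
    source port and the byte count are dropped; for a mapping exercise only
    hosts, offered services and who-talks-to-whom matter."""
    src, _sport, dst, dport, _size = session
    return {("host", src), ("host", dst), ("service", dst, dport), ("talks", src, dst)}

def object_tokens(sessions):
    """Pass 2: merge element tokens into one 'object' token per host, the entity
    description: services it offers and peers it contacts. Repeated sessions
    to the same service add nothing, which is where the reduction comes from."""
    objects = defaultdict(lambda: {"serves": set(), "contacts": set()})
    for session in sessions:
        for tok in element_tokens(session):
            kind, host = tok[0], tok[1]
            entry = objects[host]          # creates the host object if new
            if kind == "service":
                entry["serves"].add(tok[2])
            elif kind == "talks":
                entry["contacts"].add(tok[2])
    return dict(objects)

if __name__ == "__main__":
    for host, obj in sorted(object_tokens(SESSIONS).items()):
        print(host, "serves", sorted(obj["serves"]), "contacts", sorted(obj["contacts"]))
```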
Once an adequate data stream is collected, an advanced attacker’s tool will use detected protocol
distributions to determine the protocol to offload the data with. Common traffic may include port
25 (SMTP), port 80 (HTTP) or port 21 (FTP). The attacker will certainly embed various offload
techniques to allow for varying terrains.
I. Parsing the stream Pass #7: Watch the watchers watching the watcher!?!
If the attacker has access to an inline production stream, it is possible to determine various security
and response mechanisms that may be in place:
Unsuccessful attacks provide a list of which exploits not to try. These unsuccessful attacks can also
be analyzed to determine syntactical errors, which could be corrected by the attacker.
Successful attacks provide a free roadmap of vulnerabilities. The attacker can simply follow in the
footsteps of the monitored intruder.
Instead of following the intruder, an advanced attacker may simply continue to monitor the
offloaded stream, gathering all the data the intruder accessed. Typically, password files and
configuration files will be accessed during the intruder’s session. This data can be used without the
advanced attacker logging in.
Out-of-band IG: Once an encrypted stream is parsed and statistical analysis fails, the focus will
shift to out-of-band data IG. As an example, a typical encrypted stream will be point-to-point;
secure shell terminal connections are a good example of this. When a security-conscious user uses
SSH to connect to a remote machine, only the terminal connection itself is encrypted (as well as
user-defined forwarded ports). The TCP/IP headers are not encrypted, allowing thumbprinting
analysis mentioned above. Support service calls are not encrypted. This will include DNS, WINS,
ARP, and ICMP traffic. If the SSH server requires these services, the calls will be made in the
clear, and should appear in the stream (depending on your proximity to the machines). If the user
executes a command across the encrypted pipe that requires name resolution, the stream shows that
information. This presents a secondary method of attacking the encrypted session: attacking or
spoofing the DNS server or other trusted service.
Assumed trusts: Several popular crypto solutions require time stamp and correction services. In
general, time references become a part of the crypto equation. Many vendors utilize the standard
Network Time Protocol (NTP). These requests and responses happen in the clear. As part of the IG
process, the data streams of these and similar services should be parsed. Gaining access to a trusted
service or host may leverage compromise of the trusting host, or a denial of service to the
encryption technique through spoofed skewed time responses.
Target priority advancement: Once an encrypted stream is discovered, the source and destination of
the encrypted stream become higher-profile targets. All other traffic from these two boxes will be
examined more carefully.
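As an added example covering the out-of-band and target-priority passes (not code from the presentation), the routine below takes constructed flow records and, for every host that is party to an SSH session, lists the DNS, NTP and ICMP traffic it sent in the clear around that session. A defender can run the same correlation over their own flow logs to see what an encrypted session still gives away; the addresses, the port-to-service mapping and the 60-second window are assumptions.

```python
# Constructed flow records (not from the page's capture):
# (timestamp_s, src_ip, dst_ip, proto, dst_port)
FLOWS = [
    (100.0, "192.168.1.10", "192.168.1.53", "udp", 53),    # client resolves server name
    (100.2, "192.168.1.10", "203.0.113.7", "tcp", 22),     # SSH session opens
    (101.0, "203.0.113.7", "192.168.1.53", "udp", 53),     # server looks up client name
    (130.0, "203.0.113.7", "198.51.100.1", "udp", 123),    # server asks NTP for time
    (131.5, "192.168.1.10", "203.0.113.7", "icmp", 0),     # ICMP between the two ends
    (200.0, "192.168.1.11", "192.168.1.53", "udp", 53),    # unrelated host, ignored
]

ENCRYPTED_PORTS = {22: "SSH", 443: "TLS"}
# Support services the text names as travelling in the clear around an SSH session
# (ARP is not an IP flow and so does not appear in this record format).
SUPPORT_SERVICES = {("udp", 53): "DNS", ("udp", 137): "WINS",
                    ("udp", 123): "NTP", ("icmp", 0): "ICMP"}

def encrypted_sessions(flows):
    """Pass 1: find encrypted session starts as (timestamp, src, dst)."""
    return [(ts, src, dst) for ts, src, dst, proto, port in flows
            if proto == "tcp" and port in ENCRYPTED_PORTS]

def high_profile_hosts(flows):
    """Both ends of every encrypted session become higher-profile targets."""
    return {h for _ts, src, dst in encrypted_sessions(flows) for h in (src, dst)}

def cleartext_side_traffic(flows, window=60.0):
    """Pass 2: for every high-profile host, list the cleartext support-service
    traffic it sent within `window` seconds of one of its encrypted sessions.
    Returns (host, service, peer, timestamp) tuples in flow order."""
    sessions = encrypted_sessions(flows)
    hosts = high_profile_hosts(flows)
    findings = []
    for ts, src, dst, proto, port in flows:
        svc = SUPPORT_SERVICES.get((proto, port))
        if svc is None or src not in hosts:
            continue
        if any(abs(ts - s_ts) <= window and src in (s_src, s_dst)
               for s_ts, s_src, s_dst in sessions):
            findings.append((src, svc, dst, ts))
    return findings

if __name__ == "__main__":
    for host, svc, peer, ts in cleartext_side_traffic(FLOWS):
        print(f"t={ts:6.1f} {host} -> {peer} {svc} (in the clear)")
```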
A. Open Source IG
Open source information gathering involves searching public resources for information about a
target. Online resources can be queried through sites like samspade.org, or queried directly through
proxy chaining. Sources may include any of the following:
Microsoft has recently “locked down” its Office suite of applications by disabling automatic macro
launch unless authorized by the user. Unfortunately, MS Access VBA was not afforded the same
protection.
(See the detailed write-up of the Trojan VBA code attached. This will be released to bugtraq
shortly)
(Several methods will be demonstrated here, including a Java listener, a JavaScript info scoop, and
perhaps a Flash file pop.)
Software pirates currently employ this technique to acquire a larger personal library of pirated
software. A typical software pirate may gather software he has no intent of using. This software
simply serves as currency on the “pirate market” for the barter of more software. Eventually,
pirates actually get the software they are interested in through the process of bartering against the
market.
Applying this methodology to the passive IG scenario, several attackers monitor any streams they
have access to, including their local Internet connections. Like software pirates collecting software,
the collected data of an IG “player” may not be of any interest whatsoever to the player that collects
it. Instead, the data is used to barter for more relevant data from other players. These players could
even collect data from their own Internet connections including ISP dial-ups/shell accounts, ISDN
connections, cable modem segments and DSL segments. An expert in IG will find all sorts of
relevant data from their own local data streams:
An interesting twist to the use of this product is to exchange interesting data streams using the
existing tool. This can be done in a few ways: by transferring non-mp3 files, or by using
steganography to embed the data into actual mp3 files. The naming conventions of the mp3 files
could adequately describe the source and destination addresses of all the involved hosts.
ISP-installed black-box wired to FSB (ex-KGB) HQ allows agencies to monitor all Internet traffic:
Tax police
Interior Ministry police
Kremlin
Parliament Security Guards
Presidential Security Guards
Border Patrol
Customs
No warrants needed